Integrate Microsoft Azure with Red Canary
    • 15 Nov 2024

    Article summary

    Integrating Microsoft Azure with Red Canary enhances cloud security by providing advanced threat detection and response capabilities. This integration gives organizations deeper visibility into cloud environments, helps them identify and prioritize critical threats, and accelerates incident response, ultimately reducing the risk of data breaches and downtime. To integrate Microsoft Azure with Red Canary, follow the procedure below from beginning to end. Once all steps are complete, data should be flowing into Red Canary within 4 hours or less.

    Prerequisites

    • Ensure you are subscribed to Red Canary's Cloud Control Planes license.

    • You must have Azure Global Admin rights.

    • Enable “Access management for Azure resources” for your Azure Global Admin account.

    • Users performing integration steps need the Owner role on the management group. To grant this, use the command below (permissions can be revoked after validation):

    az role assignment create --assignee <User ID> --scope "/" --role "Owner"

    Note: You may experience a potential increase in Azure costs depending on the volume of new logs exported to your Log Analytics workspace as part of the MDR for Azure integration.

    • Affected Logs: Log Analytics Workspace, Log Analytics Data Export, Platform Logs (Storage Diagnostic Settings)

    • For more information, see Pricing - Azure Monitor

    Azure Region Support:

    Microsoft Azure’s region uaenorth does not currently support Premium Event Hubs. The impact of this is that Red Canary currently cannot process telemetry or alerts from infrastructure in the uaenorth Azure region. This is expected to continue at least through October 2024.

    Step 1: Set up the Azure infrastructure

    Download the Red Canary Bicep file and upload it to your Azure Cloud Shell.

    1. From your Red Canary homepage, click Microsoft Azure.

    2. Enter a name for your new Microsoft Azure integration.

    3. Click Red Canary Bicep File to download the required file. You’ll use this in a later step.

    4. Copy and then save the command below. You’ll use this in a later step.

      Note: For the <TenantId> below, enter your Azure Tenant ID.

      az deployment mg create --name 'RCLogIngestPolicy' \
        --location eastus \
        --template-file RedCanary.bicep \
        --management-group-id <TenantId>


      Microsoft Azure

    5. From your Microsoft Azure homepage, click Cloud Shell.

    6. From the Cloud Shell dropdown, select Bash.

    7. Click Upload File.

    8. Click Upload.

    9. Select the Red Canary Bicep File you downloaded in Step 1.3.

    10. At the Cloud Shell prompt, paste and then run the command you saved in Step 1.4.

      Red Canary

    11. Select I’ve deployed the Bicep file.

    12. Copy the entire command below and then save the command. You’ll use this in a later step.

      az account list --query "[].id" \
        --out tsv | xargs -I {} -P 10 az policy remediation \
        create --name RCLogConfigurationAccessDeploy --policy-assignment RCLogConfigurationAccess \
        --resource-discovery-mode ReEvaluateCompliance --subscription "{}"
      
      az account list --query "[].id" \
        --out tsv | xargs -I {} -P 10 az policy remediation \
        create --name RCAutomationRgDeploy --policy-assignment RCAutomationRg \
        --resource-discovery-mode ReEvaluateCompliance --subscription "{}"


      Microsoft Azure

    13. At the Cloud Shell prompt, paste and then run the entire command from Step 1.12.

      Note: This command runs a remediation to apply the diagnostic setting policies to all existing subscriptions.


      Red Canary

    14. Select I’ve Connected my existing subscriptions.

    15. Click Next.
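    As an added check after Step 1 (example code, not part of Red Canary's documentation), the script below reads back the state of the RCLogIngestPolicy deployment and of the two remediations in every subscription, so you can confirm the diagnostic-setting policies landed before moving on. It assumes an az CLI session with rights to read management-group deployments and policy remediations, and takes your Tenant ID from a TENANT_ID environment variable (an assumption, not a Red Canary convention).

```shell
#!/usr/bin/env bash
# Added post-deployment check; not part of Red Canary's documentation.
# Assumes an az CLI session with rights to read management-group
# deployments and policy remediations; TENANT_ID is your Azure Tenant ID.
set -eu

# Names used by the Step 1 commands in this article.
DEPLOYMENT_NAME="RCLogIngestPolicy"
REMEDIATIONS="RCLogConfigurationAccessDeploy RCAutomationRgDeploy"

# Pure-text step: reads "<subscription-id> TAB <remediation> TAB <state>"
# lines and prints those not yet in the Succeeded state (an empty state
# means the remediation was never created in that subscription).
# Kept az-free so it can be exercised offline with constructed input.
find_unfinished() {
  awk -F'\t' '$3 != "Succeeded" { print $1 "\t" $2 "\t" ($3 == "" ? "Missing" : $3) }'
}

# Query the provisioningState of each named remediation in each subscription.
collect_states() {
  az account list --query "[].id" -o tsv | while read -r sub; do
    for rem in $REMEDIATIONS; do
      state=$(az policy remediation show --name "$rem" --subscription "$sub" \
                --query provisioningState -o tsv 2>/dev/null || true)
      printf '%s\t%s\t%s\n' "$sub" "$rem" "$state"
    done
  done
}

verify() {
  echo "Management-group deployment $DEPLOYMENT_NAME state:"
  az deployment mg show --management-group-id "$1" --name "$DEPLOYMENT_NAME" \
    --query properties.provisioningState -o tsv
  echo "Remediations not yet Succeeded (no lines below means all done):"
  collect_states | find_unfinished
}

# Run only when TENANT_ID is set, so the functions can be sourced safely.
if [ -n "${TENANT_ID:-}" ]; then verify "$TENANT_ID"; fi
```

    Run it as TENANT_ID=<your tenant id> ./check-rc-policies.sh from the same Cloud Shell session; any subscription listed still needs its remediation to finish (or re-run the Step 1.12 command).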

    Step 2: Configure an Azure Log Analytics workspace to collect Entra ID logs

    For Red Canary to start receiving your telemetry, you must send data from your environment to an Azure Log Analytics workspace.

    Note: If you already have an Azure Log Analytics workspace ingesting logs, including ADFSSignInLogs, AuditLogs, ManagedIdentitySignInLogs, ServicePrincipalRiskEvents, ServicePrincipalSignInLogs, SignInLogs, and UserRiskEvents, select I already have a Log Analytics workspace set up and continue on to Step 2.20.

    1. Select I need to set up a Log Analytics workspace.


      Microsoft Azure

    2. Log in to Microsoft Azure using a Global Admin account for the tenant that you want to integrate with Red Canary.

    3. In the search bar, type and then select Resource groups.

    4. Click +Create.

    5. From the Subscription dropdown, select the subscription in which you want to house your Azure Log Analytics workspace.

    6. Enter a Resource Group name.

      (Example: Red_Canary_Resources)

    7. From the Region dropdown, select your local region.

    8. Click Next: Tags >.

    9. Click Next: Review + create >.

    10. Click Create.

    11. In the search bar, type and then select Log Analytics workspaces.

    12. Click +Create.

    13. From the Subscription dropdown, select the subscription you want associated with this workspace.

    14. From the Resource group dropdown, select the Resource group created in Step 2.6.

    15. Under Instance details, enter a name for the workspace.

      (Example: Red_Canary_Log_Analytic_workspace)

    16. From the Region dropdown, select your local region.

    17. Click Next: Tags >.

    18. Click Next: Review + create >.

    19. Click Create.

      Red Canary

    20. Select I’ve completed creating the Log Analytics workspace.

      Note: If you already have a Log Analytics workspace to collect Entra ID logs, select I already have a Log Analytics workspace setup to collect Entra ID logs, and then click Next to continue on with Step 3.

    21. Select I need to configure my Log Analytics workspace to collect Entra ID logs.


      Microsoft Entra

    22. Log in to Microsoft Entra using a Security Admin account.

    23. In the search bar, type and then select Microsoft Entra ID.

    24. From the Monitoring section, click Diagnostic settings.

    25. Click + Add diagnostic setting.

    26. Enter a name for your diagnostic setting.

    27. From the Categories section, select the following:

      1. ADFSSignInLogs

      2. AuditLogs

      3. ManagedIdentitySignInLogs

      4. ServicePrincipalRiskEvents

      5. ServicePrincipalSignInLogs

      6. SignInLogs

      7. UserRiskEvents

    28. From the Destination details section, select Send to Log Analytics workspace.

    29. From the Subscription dropdown, select the subscription you want associated with this Diagnostic setting.

    30. From the Log Analytics workspace dropdown, select the workspace from Step 2.15.

    31. Click Save.

      Red Canary

    32. Select I’ve completed configuring my Log Analytics workspace to collect Entra ID logs.

    33. Click Next.

    Step 3: Configure Red Canary to integrate with your Azure Tenant

    1. Enter the Azure Tenant ID.


      Microsoft Azure

    2. To find the Tenant ID, log into Microsoft Azure.

    3. In the search bar, type and then select Tenant Properties.

    4. Copy and then paste the Tenant ID into Red Canary.


      Red Canary

    5. Enter the Log Analytics Workspace ID.


      Microsoft Azure

    6. To find the Log Analytics Workspace ID, log in to Microsoft Azure.

    7. In the search bar, type and then select Log Analytics workspaces.

    8. Click the workspace that was created in Step 2.15.

    9. Click Properties.

    10. Copy and then paste the Resource ID into Red Canary.


      Red Canary

    11. Click Save.

      Note: Red Canary will now begin provisioning your resources. This could take up to 20 minutes. The integration status will show Provisioning during this time. It will update to Active once completed.

    Step 4: Utilize Entra ID Response Actions

    Follow the steps in Response Actions for Entra ID to enable automated playbooks, configured in Red Canary, to take action in Entra ID.

    Remove Microsoft Azure from Red Canary

    Should you need to remove the Microsoft Azure integration with Red Canary, follow these steps:

    Step 1: Red Canary – Remove Microsoft Azure from Red Canary’s Integration page

    1. From your Red Canary homepage, click Integrations.

    2. Locate and then click the Microsoft Azure integration you want to remove.

    3. Click the icon.

    4. Click OK.

    Step 2: Microsoft Azure – Run the Red Canary provided script

    1. From your Microsoft Azure homepage, click Cloud Shell.

    2. From the Cloud Shell dropdown, select Bash.

    3. Click Upload File.

    4. Click Upload.

    5. Select and upload the Red Canary provided script located here.

      Note: This automated script removes the Azure resources created during onboarding. These resources include two Azure Policies, Red Canary's role assignments for accessing the subscriptions in your management group, and a resource group created for exporting Microsoft Defender for Cloud alert data.

    6. At the Cloud Shell prompt, run ls to confirm the script file appears in the output.

    7. Use the following command to grant execution permissions to the script file:

      chmod +x remove-azure-integration.sh

    8. Execute the script file, passing your Azure Tenant ID as the argument:

      ./remove-azure-integration.sh AZURE_TENANT_ID

    Step 3: Microsoft Azure – Remove the Log Analytics Data Export rule for Microsoft Entra ID

    At the Cloud Shell prompt, run the command below.

    Note: For log-analytics-workspace-name, subscription-id, and resource-group-name, substitute the values from your own Azure environment.

      az monitor log-analytics workspace data-export delete --name RC-Entra-Data-Export \
        --workspace-name log-analytics-workspace-name --subscription subscription-id \
        --resource-group resource-group-name --yes

      1. log-analytics-workspace-name: The name of the Log Analytics Workspace used for the integration.

      2. subscription-id: The ID of the Subscription containing the Log Analytics Workspace.

      3. resource-group-name: The name of the Resource Group containing the Log Analytics Workspace.

    Step 4: Red Canary – Contact Support for removal of Diagnostic Settings

    For the Microsoft Azure Integration, Red Canary creates Diagnostic Settings on Subscription, Storage Account and Key Vault resources in your onboarded Azure environment. These Diagnostic Settings are the mechanism for exporting audit and activity logs for these resources to Red Canary. The previous steps do not delete them; they remain in place until deleted. The Diagnostic Settings created by Red Canary always follow the naming convention “RC-Logs” so they can be identified.

    For assistance with removing these Diagnostic Settings, please contact us and submit a support ticket.
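    As an added, read-only check for this step (example code, not Red Canary's script), the script below inventories the RC-Logs diagnostic settings on your subscriptions, storage accounts and key vaults, giving you a list to include in the support ticket and to validate against once the settings have been removed. It assumes an az CLI session with Reader rights on every onboarded subscription and matches the RC-Logs name as a prefix (an assumption; the article states the convention, not whether a suffix is appended per resource type).

```shell
#!/usr/bin/env bash
# Added read-only inventory of Red Canary-created diagnostic settings;
# not Red Canary's script. It lists and never deletes. Assumes an az CLI
# session with Reader rights on every onboarded subscription.
set -eu

# Naming convention the article states for Red Canary's diagnostic settings.
# Matched as a prefix (assumption: a suffix may be appended per resource type).
RC_PREFIX="RC-Logs"

# Pure-text step: reads "<resource-id> TAB <setting-name>" lines and keeps the
# RC_PREFIX ones. Kept az-free so it can be exercised offline with constructed input.
filter_rc_settings() {
  awk -F'\t' -v p="$RC_PREFIX" 'index($2, p) == 1 { print }'
}

# Older az releases wrap the list in {"value": [...]}; the || handles both shapes.
NAMES_QUERY="[].name || value[].name"

# Emit "<resource-id> TAB <setting-name>" for each diagnostic setting on a resource.
settings_for() {
  az monitor diagnostic-settings list --resource "$1" --query "$NAMES_QUERY" -o tsv \
    2>/dev/null | awk -v r="$1" '{ print r "\t" $0 }'
}

# Subscription-level (Activity Log) settings use a separate subcommand.
settings_for_subscription() {
  az monitor diagnostic-settings subscription list --subscription "$1" \
    --query "$NAMES_QUERY" -o tsv 2>/dev/null | awk -v r="/subscriptions/$1" '{ print r "\t" $0 }'
}

# Walk every subscription, then the storage accounts and key vaults the article names.
inventory() {
  az account list --query "[].id" -o tsv | while read -r sub; do
    settings_for_subscription "$sub"
    az storage account list --subscription "$sub" --query "[].id" -o tsv \
      | while read -r id; do settings_for "$id"; done
    az keyvault list --subscription "$sub" --query "[].id" -o tsv \
      | while read -r id; do settings_for "$id"; done
  done | filter_rc_settings
}

# Run only when RC_INVENTORY=1, so the functions can be sourced safely.
if [ "${RC_INVENTORY:-0}" = "1" ]; then inventory; fi
```

    Run it as RC_INVENTORY=1 ./list-rc-logs.sh in Cloud Shell; an empty result after support has finished confirms no RC-Logs settings remain.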

    Ingest Details

    Red Canary ingests Azure Activity Logs and Defender for Cloud Alerts from Azure environments. Additionally, Red Canary integrates with Azure to scan the environment regularly to discover new subscriptions and resources.

    Red Canary collects three different types of logs from Azure:

    • Azure Entra ID Logs are collected for the entire tenant and your subscriptions. These logs include:

      • ADFSSignInLogs

      • AuditLogs

      • ManagedIdentitySignInLogs

      • NonInteractiveUserSignInLogs

      • ServicePrincipalRiskEvents

      • ServicePrincipalSignInLogs

      • SignInLogs

      • UserRiskEvents

    • Azure Activity Logs are management and control plane data collected at the subscription level. These logs include:

      • AzureActivity

    • Azure Resource Logs are logs generated by activity on a specific resource collected at the subscription level. These logs include:

      • StorageLogs

      • KeyVaultActivityLogs

    In addition, Red Canary collects Azure Defender for Cloud Alerts. Each Azure subscription with Defender for Cloud enabled produces its own Defender for Cloud alerts; Red Canary collects these alerts across the Azure environment and associates each alert with its source subscription.

    For more information on how data is transferred from an Azure environment to Red Canary, see How Microsoft Azure Works with Red Canary.

    Finally, Red Canary integrates with Azure to scan your environment regularly to discover new subscriptions and resources. This integration is established via access policy and enables Red Canary to read your Azure environment. This policy does not allow write access. The policies used can be found in this publicly hosted Bicep file used during integration onboarding.
